Lec 8 528 FarinazIBM-TH
-
Upload
atavratbraveheart -
Category
Documents
-
view
214 -
download
0
Transcript of Lec 8 528 FarinazIBM-TH
-
7/27/2019 Lec 8 528 FarinazIBM-TH
1/27
ELEC 528 Lecture
Farinaz Koushanfar, Spring 2009
ECE and CS Depts., Rice University
-
7/27/2019 Lec 8 528 FarinazIBM-TH
2/27
Introduction
Outsourcing of IC manufacturing
Threat: addition of Trojan horse (TH) circuitry Hard (or impossible) to detect by functional tests
It may be triggerable, not always active hidden
General circuit obfuscation to make it hard to insert TH at thefoundry is almost impossible
They propose a side-channel based approach
The techniques requires destructive testing of a few ICs
The rest of the ICs will be nondestructively validated byside-channel analysis for the absence of any significantlysized Trojans
-
7/27/2019 Lec 8 528 FarinazIBM-TH
3/27
Side-channel analysis (SCA)
techniques These techniques are effective even when the
information present within the side channel ismasked with noise
More sophisticated techniques build statistical
models for noise and remove it Their side-channel approach does not require
changes to the current process and practices fordesign and fab
The technique requires additional IC fingerprintgeneration and validation step to be carried outby a trustworthy fab facility
-
7/27/2019 Lec 8 528 FarinazIBM-TH
4/27
Fingerprinting methodology
1. Select a few ICs at random from a family of ICs (i.e.,ICs with thesame mask and manufactured in the same fab).
2. Run sufficient I/O tests multiple times on the selected ICs so as toexercise all of their expected circuitry and collect one or more side-channel signals (power, EM, thermal emissions etc.) from the ICsduring these tests.
3. Use these side-channel signals to build a side-channel fingerprintfor the IC family.
4. Destructively test the selected ICs to validate that they arecompliant to the original specifications.
5. All other ICs from the same family are nondestructively validated by
subjecting them to the same I/O tests and validating that their side-channel signals are consistent with the side-channel fingerprint ofthe family.
-
7/27/2019 Lec 8 528 FarinazIBM-TH
5/27
Trojans and their side-channel
leakage
TH circuits need to be stealthy
TH ICs needs to have the same physical formfactor, pin-out and very similar I/O behavior
TH should wait for a trigger condition thathappens rarely and is hidden to testing, but iseasily triggerable by an attacker
In nondeterministic ICs, it can be more easily
encoded, but still needs to be selective Modern complex IC manufacturing leaves a lot
of room for TH insertion
-
7/27/2019 Lec 8 528 FarinazIBM-TH
6/27
TH Detection via simple SCA
The total power consumption differs, when asizeable component is added
Run the IC at a low frequency
Since the dynamic power is linearly dependent on
the clock freq. and the switching and leakage isdependent on the area
Small Trojan horses survive this test
-
7/27/2019 Lec 8 528 FarinazIBM-TH
7/27
SCA The details of the power signals from a non-Trojan AES circuit (green or
grey) with an equivalent area of 4302 2-input NAND gates and a TrojanAES circuit (blue or black) with a 10-bit counter as the Trojan which has anequivalent area of 247 2-input NAND gates.
The left circuit is clocked at 100MHz and sampled at 1 ns intervals and onthe right the circuit is clocked at 500 KHz and sampled at 200 ns intervals.The Trojan in this case is roughly 5.6% of the total circuit size.
-
7/27/2019 Lec 8 528 FarinazIBM-TH
8/27
Statistical PA
Even small THs can be distinguished by statistical analysis.
A simulation of how an average power signal would look like for theTrojan and genuine AES circuits running at 100MHz.
The signal from the genuine AES circuit is shown in green (or grey)and the additional signalintroduced by the Trojan circuit is shown in
black. Limited by the process noise and statistical variations
-
7/27/2019 Lec 8 528 FarinazIBM-TH
9/27
TH detection theory
Consider an IC I, that executes a calculation C.
Consider a power measurement Mdone on Iwhen it isexecuting the computation C.
The power trace obtained in this measurement, r(t;
I;C;M), can be modeled as consisting of fourcomponents: (a) the mean power consumptionp(t;C) (the mean is computed
over several measurements done on several ICs from the samefamily during multiple executions of the calculation C),
(b) process noise np(t; I;C), (c) measurement noise nm(t;M), and
d) possibly an extra power leakage (t; I;C) due to a Trojancircuit in I.
-
7/27/2019 Lec 8 528 FarinazIBM-TH
10/27
TH detection theory (Contd)
The power trace of a genuine IC is
rG(t; I;C;M) =p(t;C) + np(t; I;C) + nm(t;M)
The Trojan IC adds an additionalcomponent to give
rT(t; I;C;M) =p(t;C) + np(t; I;C) + nm(t;M) +
(t; I;C) They ignore measurement noise
-
7/27/2019 Lec 8 528 FarinazIBM-TH
11/27
TH Detection model
Definition 1 Trojan Detection Problem.
Given K genuine ICs I1, I2, . . . , IKand the process
noise signals np(t; I1;C), np(t; I2;C), . . . , np(t; IK;C)
generated by the ICs respectively, during theexecution of the calculation C
Given an IC IK+1with a mean power trace r(t; IK+1;C)
(mean taken over multiple executions of calculation C
with the average p(t;C) subtracted),
how can we determine if the IC IK+1contains a
Trojan circuit?
-
7/27/2019 Lec 8 528 FarinazIBM-TH
12/27
Hypothesis testing
Is the IC genuine or TH?
1. HG: r(t; IK+1;C) = np(t; IK+1;C)
2. HT: r(t; IK+1;C) = np(t; IK+1;C)+
(t; IK+1;C) The problem is viewed as a signal
characterization problem
Characterize the process noise andcheck if the signal under hypothesis
differs from it!
-
7/27/2019 Lec 8 528 FarinazIBM-TH
13/27
Characteristics of noise
Subspace projection Subspace projection, where the signal r(t; IK+1;C) and the process
noise signals np(t; I1;C), np(t; I2;C), . . . , np(t; IK;C) from knowngenuine ICs are projected in a signal subspace where signals fromTrojan and genuine ICs are likely to have different characteristics
The main obstacle in this analysis is that we do not know the Trojan
circuit or what precisely it may be trying to accomplish. The Trojan IC may be monitoring the clock, contents of a register, or
transitions on a bus. The power consumed by the Trojan may becorrelated with the clock, input or output data, result of someintermediate calculation, etc.
In absence of this knowledge apriori, it may seem that nothing shortof a full characterization of the process noise would work.
-
7/27/2019 Lec 8 528 FarinazIBM-TH
14/27
Can subspace projection help?
In their initial experiments, theycould easily find subspaces thatdistinguish b/w signal and noisew/o full characterization
Example: a simple TH circuitwhose power consumption
does not fall when the genuinepower consumption falls
An RSA computation (in greenor gray) with the process noise(in red or dark grey) and theTrojan signal (in black)
simulated via a 5% randomvariation in cell libraries acrossprocesses.
-
7/27/2019 Lec 8 528 FarinazIBM-TH
15/27
Trojan vs. process noise
Trojan power signature and processnoise in one such region of lowactivity in between two modularmultiplications
in such regions, with its relativelymuch larger magnitude the Trojan
contribution to the signal (black)stands out compared to the processnoise (green or grey).
Even when the ICs powerconsumption, and therefore thecorrelated process noise, does notfall relative to the Trojan at any
point in the computation, the TrojanICs can be detected by usingadvanced signal processingtechniques.
They will demonstrate the use ofKarhunen-Lo`eve (KL) expansion
-
7/27/2019 Lec 8 528 FarinazIBM-TH
16/27
KL expansion
-
7/27/2019 Lec 8 528 FarinazIBM-TH
17/27
KL expansion
The KL expansion provides a separationof randomness and the time variations of arandom signal
The sequence Zk(t) is referred to as theeigen value spectrum of a sample thatvaries from a sample to sample and hasno time dependency
The is the eigen vector and fixed froma sample to sample but varies with time
-
7/27/2019 Lec 8 528 FarinazIBM-TH
18/27
Experiment setup RSA circuit RSA circuits, the TH is a comparator or a counter
Their RSA design employs the left-to-right binary square and multiplyexponentiation algorithm.
Has a scalable, pipelined and high radix Montgomery Multiplier (MM)architecture to realize square or multiply operations.
Operand length, word size, pipeline depth in MM circuit are parameterized.
All simulation results in this paper were obtained for a pipeline depth of 8
and word size of 8 bits. The memories to hold operands, exponent and modulus, and the FIFO
memory necessary for the pipeline structure are omitted from thesynthesized RSA circuit.
-
7/27/2019 Lec 8 528 FarinazIBM-TH
19/27
Trojan circuit description
The first TH was a 16-bit counter with an equivalent area of 406 2-input NAND gates which occupies roughly 1.4% of the total circuitarea of the RSA circuits described earlier.
The second Trojan circuit was a simple 8-bit sequentialcomparatorwith an equivalent area of 33 2-input NAND gates.
An even simpler 3-bit combinationalcomparator with an equivalentarea of only 3 2-input NAND gates.
Note that the area of Trojan circuits used in our experiments goesfrom 406 gates to 33 gates to 3 gates, roughly an order ofmagnitude decrease at each step.
-
7/27/2019 Lec 8 528 FarinazIBM-TH
20/27
Exp -1
Experiment 1: 512-Bit RSA Circuit with a 16-Bit Counter Based Trojan and with 2%Parameter Variations
-
7/27/2019 Lec 8 528 FarinazIBM-TH
21/27
Exp -2
Experiment 2: 256-Bit RSA Circuit with
the 16-Bit Counter Based Trojan and
with 5% Parameter Variations
-
7/27/2019 Lec 8 528 FarinazIBM-TH
22/27
Exp - 3
Experiment 3: 256-bit RSA Circuit with
the 8-bit Sequential Comparator Based
TH and with 5% Parameter Variations
Trojan signals (blue or black) inside (top figure) and outside (bottom
figure) the process noise envelopes (green or grey), Experiment 3.
-
7/27/2019 Lec 8 528 FarinazIBM-TH
23/27
Exp - 4
Experiment 4: 256-bit RSA Circuit with
3-bit Combinational Comparator Based
TH and 7.5% Parameter Variations
-
7/27/2019 Lec 8 528 FarinazIBM-TH
24/27
More experiments
-
7/27/2019 Lec 8 528 FarinazIBM-TH
25/27
More experiments
-
7/27/2019 Lec 8 528 FarinazIBM-TH
26/27
More experiments
-
7/27/2019 Lec 8 528 FarinazIBM-TH
27/27
Conclusion
Demonstrated the feasibility of building effective fingerprints for anIC family to detect Trojan ICs.
Designed and synthesized an RSA circuit and three different Trojancircuits.
The power traces obtained from the simulations of these circuits to
built the IC fingerprints. They modeled three sets of process variations by creating random
variations (up to 2%, 5% and 7.5%) in the cell libraries that wereused to synthesize the designs.
In all cases, fairly simple analysis of the power signals coulddistinguish genuine ICs from those containing Trojan circuits down
to 0.01% of the size of the main circuit. In general it is difficult to hide signal distortions introduced by a
Trojan circuit as a Trojan circuit leaks signal in signal subspacesthat are not present in genuine ICs.